The General Law on the Protection of Personal Data – LGPD
This article aims to expand the degree of knowledge of companies, especially mining companies, regarding the new regulation brought by the LGPD, as well as the importance and need for urgent adaptation of companies to devices and requirements legal provisions provided for therein.
Certainly you have heard of the General Law on the Protection of Personal Data (LGPD), Law 13.709/2018, which is one of the most discussed issues in recent times, arousing the curiosity of many and raising a number of technical and legal issues with regard to the processing of personal data collected and conveyed in various ways on a daily basis.
Thus, it must be clarified at first, the concept of personal data which, according to the LGPD itself, is information related to the natural person identified or identifiable, that is, a broad and open concept, because any data, alone (direct personal data ) or added to another (indirect personal data), which may allow the identification of a natural person, may be considered as personal data. As examples, we could mention the date of birth, profession, nationality, among others.
As well as the broad concept regarding personal data, the LGPD presents an open concept and an exemplifying list of actions that are considered as the processing of personal data, what is every operation performed with personal data, such as those that refer to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or Extraction.
Bringing the theme to the mineral sector, an area of expertise specialized by FFA LEGAL LTDA., the need to present, in a simple and objective way, the main information about the new General Law on the Protection of Personal Data so that companies, including mining risks, can assess future risks as to how it operates and then implement the NECESSARY CHANGE AND ADJUSTMENTS, which should occur BEFORE AUGUST 2020, when then LGPD will enter into force in its entirety.
The LGPD applies to any person, physical or legal, who performs the processing of personal data, online and/or offline, reasons why we may believe that lgpd has a very comprehensive application, involving most projects and activities of everyday business and, therefore, all mining companies are submitted to the LGPD.
It is important to highlight, that the LGPD also has extraterritorial application, that is, companies that not only have establishment in Brazil, but also offer services to the Brazilian market, or collect data from people located in the country.
Of utmost importance for Brazil, by providing greater legal certainty, it will attract relevant investments from abroad because it will greatly raise the level of legal data protection that we can now have.
LGPD’s objectives include protecting fundamental rights of freedom and privacy, as well as defining rules and limits for companies regarding data collection, storage, processing and sharing.
LGPD is guided, regarding data processing, by the principles of purpose (legitimate purposes), adequacy (compatibility), need (minimum collection) and transparency, and the purpose being one of the most relevant principles, through which the personal data should be used only for the specific purposes for which they have been collected and duly informed to their holders
As we know, all companies in the mineral sector, of all sizes, process personal data And as an example, we could mention the departments of human resources, supplies, logistics, among others.
Therefore, personal data subjects will now have rights to confirm the existence of processing, access to data, the correction of incomplete, incorrect or outdated data, anonymization, portability, deletion, information to be sharing of data, the possibility of receiving information about not providing consent and its consequences, and also to the revocation of consent.
And to oversee compliance with the LGPD, as well as impose sanctions in cases of violation, the National Data Protection Authority (ANPD) was created, which, depending on the situation, may apply from a simple warning to a fine of R$ 50,000,000.00 ( fifty million reais) for infringement.
For this reason, companies should take security, technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any inappropriate or unlawful treatment, thereby implementing good governance, security and prevention practices.
Therefore, in order to adapt to the LGPD, and in order to avoid possible violations of its legal provisions, which, as said, may result in very serious sanctions and high economic value, FFA LEGAL LTDA. recommends the adoption of some basic measures, such as:
- a) Seek the involvement of directors and executives from the beginning of the adequacy plan so that the protection of personal data is incorporated into the company’s values and thus the theme gains the engagement and strength required;
- b) Define the actions and a leader for the plan, identifying the main projects and areas of the company affected by the LGPD;
- c) Create a governance program in data protection with the development of measures and controls for monitoring the implementation of standards that comply with the LGPD;
- d) Structure the area with the indication of a person in charge (DPO – “Data Protection Officer”) for data protection;
- e) Develop and review legal documents with the performance of possible additives to existing contracts to adapt data protection standards, especially for those involving the processing and sharing of personal data;
- f) Ensure the exercise of the rights of the holders, medialy confirming the implementation of technical and organisational measures;
- g) Conduct internal training to present new personal data protection policies.
Very important, also, to present the 10 principles introduced by the LGPD, which will serve as guidance for good conduct in the protection of personal data, as well as for the practices that will be inadequate in the daily life of professional relationships, let us see:
1) Purpose: From the LGPD it will no longer be possible to process personal data for generic or indeterminate purposes. The processing of each personal information must be done for specific, legitimate, explicit and informed purposes. That is, companies should explain that they will use each of the personal data. These purposes must also be within the limits of the law and must be expressly accompanied by all relevant information for the holder. In addition, the company is not authorized to modify the purpose during treatment. If your startup requests customer email for the specific purpose of logging into the platform, you cannot automatically use that same email to send advertising, offers, etc.
2) Suitability: The personal data processed must be compatible with the purpose informed by the company. That is, your justification should make sense with the character of the information you ask for. For example: if your business is producing gravel, gold, etc., it will hardly be justifiable to ask users for health data. So if it’s not compatible, the treatment becomes inadequate.
3) Need: Companies in general should use only the data strictly necessary to achieve their purposes. Try to make a weighting between what is really essential to your business and what is just convenient. Remember that the more data you process, the greater your responsibility, including in cases of leaks and security incidents.
4) Free access: The person, data holder, has the right to consult, in a simple and free way, all the data that the company holds about it. In addition, questions such as: what the company does with its information, how the treatment is carried out, and for how long.
5) Data quality: Holders should be guaranteed that the information the company has about it is true and up-to-date. It is necessary to pay attention to the accuracy, clarity and relevance of the data, according to the need and for the purpose of its treatment.
6) Transparency: All information passed by the company, in all its media, must be clear, accurate and true. In addition, the company may not share personal data with others in a hidden way. If you pass on personal data to third parties, including to operators, vendors that are essential to the execution of the service, the holder needs to know.
7) Security: It is the responsibility of companies to seek procedures, means and technologies that ensure the protection of personal data from access by third parties, even if they are not authorized, as in cases of hacking. In addition, measures should be taken to resolve accidental situations, such as destruction, loss, alteration, communication or dissemination of personal data from their bases.
8) Prevention: The principle of prevention aims for companies to take prior measures to prevent damage from the processing of personal data. That is, companies must act before problems and not only after.
9) Non-Discrimination: Personal data can never be used to discriminate against or promote abuses against its owners. The LGPD itself has already created specific rules for the processing of data that are often used for discrimination, so-called sensitive personal data, such as those dealing with racial or ethnic origin, religious belief, political opinion, affiliation to organization of a religious, philosophical or political nature, given regarding health or sexual life and genetic or biometric data.
10) Responsibility and Accountability: In addition to worrying about fully complying with the Law, companies must have evidence and evidence of all measures taken to demonstrate their good faith and diligence. Some good examples are in the proof that they have done team training, the hiring of specialized consultancies, the use of protocols and systems that ensure data security and the facilitated access of the holder to the company whenever I need. Thus, understanding and internalizing lgpd’s true intention becomes easier for startups to design their business models and for all companies to process the data in practice.
We have no doubt that companies will go through an adaptation process, and in this sense we suggest the immediate development of a specific plan to adapt to the standard and the new rules, and it is imperative to highlight the need for companies to review and update the majority of their contracts and legal documents, which may be carried out through some internal actions (i) between the employees themselves; and (ii) external, to consumers and suppliers; the second, in relation to data provided to operators or collected from third parties, as well as any third party (E.g. data and personal information from third parties).
In this sense, the mining company, as an employer, must update contracts with all its employees, reviewing or adding clauses that ensure proper data processing by companies, regardless of the environment (physical or physical noting that the same procedure should be done in relation to suppliers of products and services, to which the company should provide unequivocal science regarding the processing of its data.
Furthermore, it will be essential to review contracts with third parties that, for example, deal with the management of human resources such as payroll, health insurance, recruitment, mail direct mail, accounting, purchase and sale of products, issuance and control of invoices, provision of legal services, among others, as well as when the company receives or access data from other companies, as would be the case of its third-party service providers (mine operation, cleaning, maintenance, security, etc.).
We understand, therefore, that the priority procedure is to make contractual adaptations in the employment contracts of employees themselves, since it is a daily fact the processing of their personal data in every company.
Given the importance of the theme, and considering that your company has an obligation to adapt to the LGPD, we in the FFA team are already available to help them, believing that it has become clairvoyant the importance of planning and adapting to the LGPD, with the greatest as soon as possible, under penalty of taking very high risks, such as those mentioned above, in particular the severe monetary penalties provided for in the Law.
This Article of: Luis Maurício Azevedo (OAB/RJ 80,412) and Rodrigo dos S. P. Cabral (OAB/RJ 116,820), respectively partner and senior lawyer of FFA LEGAL, office specialized in legal, accounting and administrative assistance to companies in the mineral sector, and directed to its clients and partners, being owned by FFA LEGAL.
LGPD – General Data Protection Law – Commented 2nd edition 2019 – Viviane Nóbrega Maldonado e Outros – Editora Revista dos Tribunais.